Key Takeaways

- A hazard is any source of potential harm — a condition, object, activity, or substance that could cause injury, damage, or loss. A risk is the likelihood that exposure to a hazard will produce an adverse outcome, combined with the severity of that outcome.
- ISO 31000 defines risk as the “effect of uncertainty on objectives,” broadening the concept beyond negative outcomes to include missed opportunities. Hazards are one category of risk — those with purely negative potential consequences.
- Risk = Likelihood × Impact. A hazard with high severity but extremely low likelihood may pose less risk than a moderate hazard encountered daily. Scoring both dimensions on a 5×5 matrix enables prioritization.
- Hazards fall into six categories: physical, chemical, biological, ergonomic, psychosocial, and environmental. Each category requires distinct identification techniques and control strategies.
- The Hierarchy of Controls (eliminate, substitute, engineer, administrate, PPE) provides a ranked approach to treating hazards. Eliminating the hazard always outperforms relying on personal protective equipment.
- OSHA reports that employers with effective hazard identification and risk management programs see up to 52% fewer injuries and illnesses than the industry average.
Risk and hazard are two of the most frequently confused terms in safety, compliance, and enterprise risk management.
Professionals use them interchangeably in everyday conversation, but in standards like ISO 31000, ISO 45001, and OSHA’s regulatory framework, each term carries a precise meaning that shapes how organizations identify threats, allocate resources, and design controls.
Getting the distinction wrong has real consequences. Confusing a hazard (the source of potential harm) with a risk (the probability and impact of that harm occurring) leads to misallocated budgets, poorly designed controls, and compliance gaps.
A warehouse storing flammable chemicals has a hazard. The risk depends on storage conditions, ignition sources, training, suppression systems, and proximity to people. Address only the hazard label and you miss the risk variables that actually drive outcomes.
This guide defines both terms through the lens of ISO 31000, OSHA, and COSO ERM, maps the six categories of workplace hazards, explains how to assess risk using a structured methodology, and provides a practical framework to manage both effectively.
Defining Hazard and Risk: The Precise Difference
What Is a Hazard?
A hazard is any source of potential harm. OSHA defines hazards as conditions, practices, or substances that can cause injury, illness, or death. ISO 45001 uses a similar definition: a source or situation with a potential to cause harm in terms of human injury or ill health. The key word is potential.
A hazard exists independently of anyone being harmed. A live electrical wire behind an unlocked panel is a hazard regardless of how many people work nearby.
What Is Risk?
ISO 31000:2018 defines risk as the “effect of uncertainty on objectives.” This definition is deliberately broad — risk encompasses both threats (negative effects) and opportunities (positive effects).
In occupational health and safety contexts, risk narrows to the combination of the likelihood that a hazard will cause harm and the severity of that harm.
The formula underpinning every risk assessment matrix is: Risk = Likelihood × Impact. A hazard with catastrophic potential but near-zero likelihood may score lower than a moderate hazard workers encounter every shift.
Hazard vs. Risk: Side-by-Side Comparison
| Dimension | Hazard | Risk |
|---|---|---|
| Definition | A source, situation, or act with potential to cause harm | The likelihood that exposure to a hazard will produce harm, combined with severity |
| Nature | Static — exists as an inherent property of a substance, condition, or activity | Dynamic — changes with exposure, controls, environment, and behavior |
| ISO Standard | ISO 45001 (OHS); ISO 31000 categorizes hazards as risks with negative-only outcomes | ISO 31000:2018 defines risk as “effect of uncertainty on objectives” |
| Example | A 15-foot-high unguarded platform | The probability of a worker falling from the platform and the resulting injury severity |
| Question Answered | “What could cause harm?” | “How likely is harm, and how bad would the outcome be?” |
| Management Approach | Identify and catalog through hazard identification (HAZID), workplace inspections, job safety analysis | Assess and prioritize through risk assessment; treat using the Hierarchy of Controls |
| Measurement | Presence/absence; type and category | Numerical score (Likelihood × Impact); qualitative rating (Low/Medium/High/Critical) |
The practical takeaway: hazard identification answers “what could go wrong?” while risk assessment answers “how worried should we be, and what should we do about the concern?” Both are sequential steps in the same process.
Six Categories of Hazards Every Risk Professional Must Know
A comprehensive hazard and risk assessment requires a structured taxonomy. The table below classifies hazards into six standard categories used across OSHA, ISO 45001, and workplace safety frameworks.
| Category | Description | Examples | Typical Assessment Method |
|---|---|---|---|
| Physical | Energy sources or conditions that can cause bodily harm through force, temperature, pressure, noise, or radiation | Unguarded machinery, falls from height, electrical exposure, extreme temperatures, noise >85 dB, ionizing radiation | Workplace inspection; Job Safety Analysis (JSA); engineering surveys |
| Chemical | Substances that can cause harm through inhalation, skin contact, ingestion, or environmental release | Acids, solvents, gases, dusts, fumes, pesticides, asbestos, lead | Safety Data Sheets (SDS); air monitoring; COSHH assessments |
| Biological | Living organisms or their byproducts that can cause infection, allergy, or toxicity | Bacteria, viruses, fungi, parasites, blood-borne pathogens, animal bites, mold | Exposure assessments; biological monitoring; infection control audits |
| Ergonomic | Workplace design factors that strain the body, causing musculoskeletal disorders over time | Repetitive motions, awkward postures, heavy lifting, prolonged sitting, vibration, poor workstation design | Ergonomic assessments; RULA/REBA analysis; injury trend data |
| Psychosocial | Work organization and social factors that affect mental health, well-being, and behavior | Workplace violence, bullying, excessive workload, role ambiguity, shift work, job insecurity, harassment | Psychosocial risk surveys; stress audits; absenteeism trend analysis |
| Environmental | External or site-related conditions that create exposure to natural or man-made hazards | Extreme weather, poor air quality, contaminated water, noise pollution, confined spaces, working at remote sites | Environmental monitoring; site risk assessments; emergency preparedness reviews |
From Hazard to Risk: The Risk Assessment Process
Hazard identification is step one. The risk assessment process then evaluates each hazard through a structured sequence that determines exposure, likelihood, and impact — converting a catalog of hazards into a prioritized risk register.
| Step | Action | Output | Standards Reference |
|---|---|---|---|
| 1. Identify Hazards | Walk-through inspections, JSAs, incident data review, SDS review, employee interviews, HAZID workshops | Hazard inventory organized by category and location | ISO 45001 Clause 6.1.2.1; OSHA 29 CFR 1910.132 |
| 2. Determine Who/What Is at Risk | Map exposed populations (workers, contractors, visitors, community), assets, and critical processes | Exposure register with population counts and exposure duration | ISO 31000 Clause 6.3; ISO 45001 Clause 6.1.2 |
| 3. Evaluate the Risk | Score each hazard on a 5×5 Likelihood × Impact matrix; consider existing controls to determine residual risk | Completed risk register with inherent and residual scores; heat map | ISO 31000 Clause 6.4; COSO ERM (Performance component) |
| 4. Implement Controls | Apply the Hierarchy of Controls: eliminate → substitute → engineer → administrate → PPE | Control action plans with owners, deadlines, and budgets | ISO 45001 Clause 8.1.2; NIOSH Hierarchy of Controls |
| 5. Record and Review | Document findings in a risk register; schedule periodic reviews and re-assessments; monitor KRIs | Updated risk register; quarterly review calendar; KRI dashboard | ISO 31000 Clause 6.6; ISO 45001 Clause 9.1 |
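To make steps 3 and 4 concrete, here is an added example (not code from the guide or from any of the standards it cites) that scores a small hazard inventory on the 5×5 Likelihood × Impact matrix, derives residual scores from the controls applied, flags treatment plans that rest only on administrative controls or PPE without a recorded reason, and returns the prioritised register. The rating cut-offs, the way each control reduces likelihood or impact, and the sample hazards are assumptions made for this example; the guide gives the qualitative labels but not the score bands.

```python
# Added example (not from the article or any standard): 5x5 risk register scoring; the rating cut-offs, control-effect model and sample data are assumptions.
from dataclasses import dataclass, field

HIERARCHY = ["Elimination", "Substitution", "Engineering", "Administrative", "PPE"]

@dataclass
class Control:
    level: str               # one of HIERARCHY
    likelihood_cut: int = 0  # points removed from the 1-5 likelihood score
    impact_cut: int = 0      # points removed from the 1-5 impact score

@dataclass
class Hazard:
    name: str
    likelihood: int          # 1 (rare) .. 5 (almost certain)
    impact: int              # 1 (negligible) .. 5 (catastrophic)
    controls: list = field(default_factory=list)
    justification: str = ""  # why higher-level controls were not feasible

def score(likelihood, impact):
    """Risk = Likelihood x Impact; both must sit on the 1-5 scale."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be integers 1-5")
    return likelihood * impact

def rate(s):  # qualitative band for a 0-25 score; the cut-offs are this example's assumption
    return "None" if s == 0 else "Critical" if s >= 15 else "High" if s >= 10 else "Medium" if s >= 5 else "Low"

def residual(h):
    """Elimination removes the source; other controls cut likelihood or impact, never below 1."""
    if any(c.level == "Elimination" for c in h.controls):
        return 0
    like = max(1, h.likelihood - sum(c.likelihood_cut for c in h.controls))
    imp = max(1, h.impact - sum(c.impact_cut for c in h.controls))
    return score(like, imp)

def needs_justification(h):
    """True when the plan relies only on administrative controls or PPE and records no reason."""
    levels = [HIERARCHY.index(c.level) for c in h.controls]
    return bool(levels) and min(levels) >= HIERARCHY.index("Administrative") and not h.justification

def build_register(hazards):
    """Prioritised register: one row per hazard, highest inherent score first."""
    rows = [{"hazard": h.name, "inherent": score(h.likelihood, h.impact),
             "residual": residual(h), "flag": needs_justification(h)} for h in hazards]
    for r in rows:
        r["inherent_rating"], r["residual_rating"] = rate(r["inherent"]), rate(r["residual"])
    return sorted(rows, key=lambda r: (-r["inherent"], -r["residual"]))

# Constructed sample: a catastrophic-but-rare hazard alongside a moderate everyday one.
SAMPLE = [
    Hazard("Ammonia leak from refrigeration plant", 1, 5, [Control("Engineering", impact_cut=2)]),
    Hazard("Manual pallet handling, every shift", 5, 3, [Control("PPE", impact_cut=1)]),
    Hazard("Unguarded conveyor nip point", 3, 4, [Control("Engineering", likelihood_cut=2)]),
    Hazard("Solvent-based degreaser", 3, 3, [Control("Elimination")]),
]

if __name__ == "__main__":
    for r in build_register(SAMPLE):
        print(f"{r['hazard']:<40} inherent {r['inherent']:>2} {r['inherent_rating']:<8} residual {r['residual']:>2} {r['residual_rating']:<8} {'JUSTIFY' if r['flag'] else ''}")
```

In the sample, the everyday pallet-handling hazard (5 × 3 = 15, Critical) outranks the rare ammonia release (1 × 5 = 5, Medium), and the PPE-only plan for it is flagged because no justification is recorded.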
The Hierarchy of Controls: Treating Hazards from Most to Least Effective
Developed by NIOSH and embedded in ISO 45001, the Hierarchy of Controls ranks treatment strategies from most effective (elimination) to least effective (PPE).
A common mistake is jumping straight to PPE — the cheapest but weakest control. The table below ranks each level with practical examples and effectiveness indicators.
| Level | Description | Example | Effectiveness |
|---|---|---|---|
| 1. Elimination | Physically remove the hazard from the workplace entirely | Automate a process to remove workers from a confined space; discontinue use of a toxic chemical | Highest — hazard no longer exists; zero residual risk from that source |
| 2. Substitution | Replace the hazard with a less dangerous alternative | Swap a solvent-based paint with a water-based formulation; use a lower-voltage power tool | Very high — residual hazard reduced but not eliminated |
| 3. Engineering Controls | Isolate people from the hazard through physical barriers, ventilation, or design changes | Install machine guards, fume extraction hoods, fall-arrest anchor points, sound-dampening enclosures | High — does not depend on worker behavior; requires maintenance |
| 4. Administrative Controls | Change work procedures, policies, training, or scheduling to reduce exposure | Rotating workers to limit noise exposure time; posting warning signs; mandatory safety briefings; permit-to-work systems | Moderate — depends on consistent worker compliance and management enforcement |
| 5. PPE | Provide personal protective equipment as the last line of defense | Hard hats, respirators, safety glasses, hearing protection, chemical gloves, fall harnesses | Lowest — does not reduce the hazard itself; depends entirely on correct and consistent use |
Apply controls in descending order. Always exhaust higher-level options before resorting to administrative measures or PPE.
Read our guide on risk treatment strategies and risk mitigation approaches to see how this hierarchy applies beyond occupational safety to enterprise-wide risk management.
Risk and Hazard in the Enterprise Risk Management Context
The hazard-risk distinction applies beyond workplace safety. Under ISO 31000, hazards are one category within a broader risk universe that includes strategic risks, financial risks, compliance risks, and opportunity risks.
The ISO 31000 framework classifies all uncertain events by their potential outcome: hazards (negative only), controls (uncertain outcome), and opportunities (positive only).
| ISO 31000 Risk Category | Definition | Examples |
|---|---|---|
| Hazard Risk | Uncertain events that can only produce negative outcomes | Workplace injuries, cyberattacks, natural disasters, regulatory penalties, fraud |
| Control Risk | Uncertain events whose outcomes could be positive or negative | A new software deployment that may improve efficiency or cause outages; a market expansion that may succeed or fail |
| Opportunity Risk | Uncertain events that can only produce positive outcomes | Early adoption of AI that could yield competitive advantage; entering an underserved market segment |
This broader classification matters because enterprise risk management frameworks must account for all three categories.
A risk register that only tracks hazards misses control risks and opportunities that shape strategic outcomes.
The Three Lines Model assigns hazard-risk ownership to first-line business units, with the risk function (second line) providing the methodology and assurance, and internal audit (third line) independently testing effectiveness.
Key Risk Indicators to Monitor Hazards and Risks
Static hazard inventories lose value without active monitoring. The following KRI examples track both the presence of hazards and the effectiveness of risk controls across common categories.
| Domain | KRI | Green | Amber | Red |
|---|---|---|---|---|
| Workplace Safety | Lost-time injury frequency rate (LTIFR) | <1.0 | 1.0–3.0 | >3.0 |
| Hazard Identification | Open hazard reports unresolved >30 days | <3 | 3–10 | >10 |
| Training | % workforce with current safety training | 100% | 90–99% | <90% |
| Inspections | Scheduled inspections completed on time (%) | 100% | 85–99% | <85% |
| Chemical Safety | SDS review currency (%) | >95% | 80–95% | <80% |
| Ergonomic | Musculoskeletal disorder claims per 100 employees | <0.5 | 0.5–1.5 | >1.5 |
| Near-Miss Reporting | Near-miss reports submitted per month | Trending up | Stable | Trending down (indicates under-reporting) |
| Risk Treatment | Overdue risk treatment actions (count) | 0 | 1–5 | >5 |
Learn how to build an effective monitoring system with our KRI dashboard best practices guide and understand the difference between KRIs and KPIs so your dashboard drives risk-informed decisions.
Implementation Roadmap
Moving from informal hazard awareness to a structured risk and hazard management program takes focused effort. This roadmap breaks the transition into three phases.
| Phase | Actions | Deliverables | Success Metrics |
|---|---|---|---|
| Days 1–30: Foundation | Establish a hazard and risk management policy; define the risk assessment methodology (5×5 matrix, Hierarchy of Controls); train assessment leaders; create hazard reporting channels | Signed policy document; risk assessment methodology guide; trained assessment team (min. 5 leaders); digital hazard reporting form | Policy approved by leadership; methodology guide distributed; reporting channel active with first submissions received |
| Days 31–60: Assessment | Conduct hazard identification across all work areas; complete risk assessments using the 5×5 matrix; populate the risk register; apply the Hierarchy of Controls to top-10 hazards | Complete hazard inventory by category and location; risk register with inherent and residual scores; control action plans with SMART targets | 100% of work areas assessed; top-10 hazards have approved treatment plans; risk register accessible to all managers |
| Days 61–90: Monitor & Embed | Build KRI dashboard; run the first quarterly review; conduct a tabletop drill on the highest-scoring scenario; present results to leadership; set 12-month review calendar | Live KRI dashboard; first quarterly review report; drill after-action report; 12-month assessment and drill calendar | Dashboard operational; quarterly report delivered to leadership; drill completed with 100% IRT participation; all critical action items have assigned owners |
Common Pitfalls and How to Avoid Them
| Pitfall | Root Cause | Remedy |
|---|---|---|
| Using “hazard” and “risk” interchangeably in reports and registers | No standardized definitions; no training on terminology | Adopt ISO 31000 and ISO 45001 definitions organization-wide; include a glossary in every risk document |
| Hazard identification stops at physical hazards; psychosocial and ergonomic hazards ignored | Narrow focus on visible dangers; no structured taxonomy | Use the six-category hazard taxonomy (physical, chemical, biological, ergonomic, psychosocial, environmental) in every assessment |
| Risk assessments are subjective and inconsistent across teams | No calibration; different scoring interpretations | Publish a scoring guide with worked examples; run annual calibration workshops; use the same 5×5 matrix across all units |
| Controls default to PPE instead of higher-order measures | PPE is cheapest and fastest to deploy; Hierarchy of Controls not enforced | Mandate that every risk treatment plan documents why higher-level controls (elimination, substitution, engineering) are not feasible before approving PPE |
| Hazard reports submitted but never actioned | No accountability; no tracking system; no feedback to reporters | Assign every hazard report to a named owner with a deadline; publish monthly closure rates; recognize top reporters |
| Risk register is a static spreadsheet reviewed once a year | No monitoring cadence; no KRIs; no link to incident data | Build a KRI dashboard with automated feeds; link incident investigations to root-cause hazards; enforce quarterly register reviews |
| Near-miss reporting is low | Blame culture; no incentive; reporting channels inconvenient | Implement a no-blame reporting policy; make submissions mobile-friendly; track near-miss rate as a positive KRI (higher = better culture) |
| Leadership treats safety risk management as a compliance checkbox | Risk function disconnected from strategy; no board-level visibility | Present quarterly risk and hazard reports to the board; link injury/incident costs to P&L impact; connect hazard management to operational resilience goals |
Looking Ahead: Risk and Hazard Management Trends 2025–2027
AI-powered hazard detection is moving from pilot to production. Computer vision systems now monitor construction sites in real time, flagging workers without PPE, unauthorized access to hazard zones, and structural instability patterns.
Machine learning models trained on incident data can predict which sites face elevated risk weeks before an event occurs, enabling preemptive controls.
Organizations that integrate AI risk assessment frameworks into their safety programs will gain detection speed and predictive accuracy that manual inspections cannot match.
Psychosocial hazards are gaining regulatory attention. Several U.S. states and the EU are introducing mandatory psychosocial risk assessment requirements, recognizing that workplace stress, burnout, and harassment carry measurable health and productivity costs.
OSHA’s updated enforcement priorities reflect this shift. Organizations that proactively add psychosocial hazards to their risk registers will be ahead of the regulatory curve.
The convergence of physical and cyber hazards is creating hybrid risk scenarios that traditional safety programs miss.
A cyberattack on a building management system can disable fire suppression. A power grid failure during extreme heat creates both a physical hazard (heat exposure) and an operational risk (system downtime). Integrated risk management — connecting IT risk management with occupational safety through a unified ERM framework — is becoming essential, not optional.
The organizations that manage hazards and risks most effectively will be those that stop treating safety as a standalone function and instead embed hazard identification and risk assessment into every process, project, and decision across the enterprise.
Ready to strengthen your hazard and risk management? Visit riskpublishing.com to access risk assessment templates, hazard identification checklists, and expert guidance. Explore our risk management consulting services or contact us directly.
References
1. ISO 31000:2018 — Risk Management Guidelines — International Organization for Standardization
2. ISO 45001:2018 — Occupational Health and Safety Management Systems — International Organization for Standardization
3. OSHA Hazard Identification and Assessment — Occupational Safety and Health Administration
4. NIOSH Hierarchy of Controls — National Institute for Occupational Safety and Health
5. COSO Enterprise Risk Management Framework — Committee of Sponsoring Organizations
6. OSHA Recommended Practices for Safety & Health Programs — Occupational Safety and Health Administration
7. ISO 31073:2022 — Risk Management Vocabulary — International Organization for Standardization
8. NIST Risk Management Framework (SP 800-37) — National Institute of Standards and Technology
9. The IIA’s Three Lines Model — Institute of Internal Auditors
10. UNDRR Hazard Definition and Classification Review 2025 — UNDRR and ISC
11. Munich Re Natural Disaster Figures 2024 — Munich Re
12. IBM Cost of a Data Breach Report 2024 — IBM Security
13. PwC Global Risk Survey 2025 — PricewaterhouseCoopers
14. Gartner 2025 Trends for ERM Leaders — Gartner Inc.

Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master’s (MSc) degree in Risk Management from the University of Portsmouth and is a CPA and Finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.
